Critical zero-day authentication bypass (CVE-2026-41940, CVSS 9.8) in cPanel & WHM and WP Squared is actively exploited in the wild. Attackers gain admin access via CRLF injection in session handling. Patch immediately—1.5M instances exposed.

In brief - A severe authentication bypass flaw in cPanel & WHM/WP Squared (CVE-2026-41940) allows unauthenticated remote attackers to gain admin access. Exploitation is confirmed, with 1.5M systems at risk. Patching is urgent.

Technically - CVE-2026-41940 stems from a CRLF injection in the `cpsrvd` daemon’s session file handling. Attackers manipulate the `whostmgrsession` cookie via crafted basic auth headers to inject `user=root` into session files, bypassing authentication. Affects cPanel & WHM 11.110.0–11.136.0 and WP Squared 11.136.1. PoC exploit published; no effective workarounds.

Source: https://www.rapid7.com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass

#Cybersecurity #ThreatIntel